
A little under two years ago, I looked into how one might go about securing an eBay account using two-factor authentication (2FA).

At the time, it wasn’t clear whether eBay officially supported 2FA at all, and I hit a number of dead ends when trying to set up my account with it: old documentation pages about 2FA appeared to be buried or completely deprecated, and many links were simply dead. Calls to customer service didn’t help much, as the reps I spoke to had no idea what I was talking about or why I was asking.

There were legacy documentation pages about using a third-party time-based token authentication service, but these were mostly dead ends as well, and I had, to put it mildly, an extraordinarily difficult time trying to set things up.

By the end of it all, I had tried (and tried!) to set up 2FA on my account, but really to no avail. I concluded my piece with a plea for readers to let me know if I’d missed something obvious in trying to secure my account, or at the very least to ask eBay nicely to make this process easier.

Over time, many of our Naked Security readers chimed in on my story, saying either that they’d had similar experiences or that they’d discovered a workaround.

As more time passed, the comments changed tone entirely: the 2FA process, readers said, was now super simple and easy to do. Based on what readers like you had commented, it sounded like something had changed for the better. Clearly, it was past time for me to revisit this story.

I’m quite relieved and thankful to report that since I first wrote the eBay 2FA story, eBay has not only binned its previous byzantine 2FA procedure, but has replaced it with something that’s both easy to find and easy to use.

Now, happily, this is how you can easily set up 2FA on your eBay account.

Log in to your account.

Go to your account settings by clicking on your name in the upper left (where it says “Hi [your name]!”) and clicking Account settings in the dropdown.

In the My Account menu on the left that now appears, click Personal information.

Scroll to the bottom of the Personal Information screen, and you’ll now see a field that says Security Information, with the 2 step verification option underneath it. If it is switched to “off”, click the Edit option on the right.

Follow the instructions on the screen. eBay 2FA supports voice and SMS factors only (no support for time-based token apps such as Google Authenticator or Duo, as far as I can tell).

You’ll get a confirmation once it’s set up. Easy peasy!

I’m relieved that eBay has now made this much easier for users, and hope if you’re an eBay user you’ll take a quick moment to get this set up on your account.

7 comments on “How to set up 2FA on eBay – go do it now!”

eBay used to have a great 2FA feature using the Symantec VIP authentication token, back before anybody was even talking about 2FA. You could get a token with an LCD screen, use a special Yubikey, or get an app for your phone. Unfortunately when eBay and Paypal split, Paypal kept the support for the token but eBay was back to password only. It is good to see they support something again, but unfortunate that it is only SMS.

The same reason for everything else in preventative security: cost and hassle vs. perceived benefit.

There’s a shrinking-but-still-quite-significant ratio of people who lack appreciation and view proper security measures as an inconvenience. Okay, using proper security admittedly is an inconvenience, but *they* view it as one with not enough ROI–some inexplicably even after fighting identity or monetary theft issues.

“I didn’t get hacked yet again today, and my password is still better than Grandma’s password.” We all know how precarious that stance is, but to them, “500 days of not getting hacked” still overshadows the one outlier.

Then some who realize they *should* do better…mean well but never do. Yubikey on their ‘To Do’ list, they plan to ‘someday’ learn to use a password manager. By contrast, SMS is on the phone they already have and requires two minutes to configure and validate.

Companies must gauge their clientele before forcing security–or they annoy people and lose business. Even keeping it optional means there’s more to go wrong and more to support. Until the aforementioned ratio vanishes, this corporate hesitance will remain.

Do NOT enable Ebay’s horrible implementation of 2FA. I repeat… DO NOT enable this!!

2FA via SMS txt is 100% insecure! Jeeze… 60 Minutes even did a story on this where they hijacked 2 separate United States Senators’ TXTs & voice calls. And no, they didn’t resort to hacking their individual phones & installing malware. They simply hacked into the national cellular GRID and eavesdropped on their calls in real-time! The mobile grid can be snooped on by ANYONE in the world with a laptop & the cellular network sniffing programs (hello…. basically anyone with access to bittorrent or hacking forums).

Worse yet, you don’t even need to be a hacker. There are literally thousands and THOUSANDS of stories of random people simply calling up the telco and SOCIAL ENGINEERING their way into your acct… ie… getting the ATT or T-Mobile CS agent to simply switch over your mobile acct to some other random person’s new SIM card!! Presto, you’ve just lost access to your phone #, Data, and SMS txt msgs. So much for that secure 2FA code sent over SMS.

I repeat, DO NOT enable any 2FA that ONLY allows authentication tokens sent over SMS or voice! Doing so actually exposes your acct to a greater risk of being hijacked vs. simply using a username and LONG random password. Ebay allows massive 64+ char passwords (unlike PayPal).

I hear you, but it’s not clear how a username + password + SMS 2FA code is *less* secure than just username + password, given that most people don’t get SIM-swapped, and given that many mobile providers these days allow you to lock down your mobile account to make it much harder for anyone (admittedly including you) to get a new SIM issued.

I suspect that the main reason that SMS 2FA appears to reduce security is because people treat the 2FA part as 1FA – in other words, they use the existence of 2FA as an excuse for picking a rubbish password that’s easy to guess, and fall back on the second factor of authentication as if it were their only security.

In other words, if the only sort of 2FA that you have is SMS-based, pick a password that you think is strong enough to use without 2FA, and then add the 2FA part anyway – in the same way that you almost certainly leave your car’s airbags activated even though you always wear a seatbelt.

(Very many more people get keylogged than get SIM swapped. And keyloggers give the crooks your password *no matter how long and complicated it is*. Yet you aren’t suggesting giving up on passwords because keyloggers are a reality.)